AI vendor and contract check
Assess AI suppliers, SaaS features and contracts before risks are left unresolved with legal, privacy or sales. We translate the AI Act, GDPR, vendor evidence and contract gaps into decision-ready advice.
Vendor check
10 business days
A vendor score and list of missing evidence
Concrete contract questions for the supplier or procurement
Clarity on AI Act role and risk route
GDPR, DPIA and FRIA signals per AI feature
Why vendor checks are commercially critical
Many organizations buy AI through existing SaaS, HR tech, finance tooling or generative AI features. Suppliers often say the product is safe or compliant, but your organization still needs to show what it uses, which role it has and which evidence is missing.
Provider/deployer remains unclear
A contract may mention AI features, but not who carries which AI Act duty during use, modification or resale.
Vendor evidence is too generic
Security certifications help, but they do not replace model information, logging, bias, human oversight or transparency evidence.
Contracts miss audit-ready terms
Without concrete duties on information, updates, incidents and data, procurement and legal carry open risks.
What we check
AI functionality, use case, contract scope and intended use
Provider/deployer/responsibility split per supplier and workflow
AI Act route: high-risk, transparency duty, GPAI chain, low risk or unclear
GDPR and processing: processor role, data flows, training data, logging and retention
Vendor evidence: documentation, model information, evaluations, bias, monitoring and incidents
Contract gaps: audit rights, change notifications, subprocessors, liability and exit
DPIA/FRIA signals and information needed for impact analysis
Human oversight, user transparency and appeal or escalation routes
Red/yellow/green vendor score with missing evidence
Decision memo with contract questions, risks and go/no-go or negotiation points
Approach in 10 business days
Scope and documents
We choose the supplier, contract, AI features, user group and decision point: purchase, renewal, pilot or customer question.
Evidence review
We review vendor docs, security/privacy materials, AI information, product claims, DPA, contract and procurement questions.
AI Act and GDPR mapping
We map role, risk route, data processing, transparency and possible DPIA/FRIA questions side by side.
Contract and governance gaps
We translate missing evidence into concrete contract questions, controls, monitoring and responsibilities.
Decision memo
You receive a short decision document with vendor score, open risks, negotiation points and next steps.
Who this works for
Procurement and vendor management
Teams that want to test AI purchasing without unpacking every contract from scratch.
Legal, privacy and compliance
Teams that need AI Act, GDPR, DPIA/FRIA and contractual duties in one decision view.
HR, finance and operations
Teams buying or renewing AI tools in processes where people, scores, access or oversight are affected.
SaaS and AI suppliers
Vendors that want to answer enterprise customer questions with clearer evidence, role split and contract explanation.
Afterwards you have
A vendor score and list of missing evidence
Concrete contract questions for the supplier or procurement
Clarity on AI Act role and risk route
GDPR, DPIA and FRIA signals per AI feature
A decision memo for purchase, renewal, pilot or customer conversation
Logical next steps
AI inventory and register setup
Record suppliers, AI features and evidence status centrally.
FRIA/DPIA for AI systems
Deepen systems that affect people with privacy and fundamental-rights analysis.
AI Act Readiness Sprint
Connect vendor checks, classification and evidence building in a roadmap.
Frequently asked questions
Is this a legal contract review?
This is an AI governance and compliance check on vendor evidence, AI Act roles, GDPR signals and contract gaps. For formal legal drafting, organizations work with their lawyer or legal adviser where needed.
Can you assess existing suppliers?
Yes. The check works for new suppliers, contract renewals, pilots and existing SaaS features where AI has become part of the product.
What if the vendor has little AI documentation?
Then we record that explicitly as a risk. You receive targeted questions about model information, data use, logging, bias, monitoring, incidents and human oversight.
Is this only for high-risk AI?
No. Transparency duties, GPAI chains, low-risk AI and unclear SaaS features can also create contractual or GDPR risks.
Can this help with enterprise sales?
Yes. For vendors, the check can help answer customer questions about the AI Act, GDPR, security, bias and evidence more consistently.
Do not let vendor claims replace evidence.
Start with the Gap Intake. We then determine which supplier, contracts and AI features belong in the first check.